If you own a business, it is important to have a cyber security policy. It is not only a guide and reference to be used internally with your employees, but also a reference point for dealing with any external data from customers.
Your Cyber Security policy should be thought of as a moving, changing entity that will need to be updated regularly to keep up with technological advancements, and any changes within your business.
Firstly, no two cyber security policies will be the same. Your cyber security policy will be unique to your business, depending on your particular type of business and what kind of data you deal with.
The first thing you need to do is to identify the particular risks for your business. If you are an accountant, for example, your focus is on how you deal with customers’ personal information, bank details, IRD number, etc.
Once you have worked to clarify your specific risks, you can then prepare for what to do if something goes wrong. Your IT Alliance member has knowledge of a wide variety of industries, and will be able to assist you to clarify what you need to be mindful of.
Having a clear plan in place means that everyone in your organisation knows what to do, who is responsible for what, and what processes you have in place to mitigate the risks.
You will also need to create two cyber security policies: an internal one for employees, and a public one for customers.
The information below has been taken from the CERT NZ website.
Data
This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:
Systems
It’s important to identify what systems you have, and which ones are critical to your work. Consider:
Security and protection
Security and protection covers how your staff and customers access your systems and data. It means thinking about:
People and users
You need to think about what you consider to be acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations so they know:
Physical devices and systems
When you think about protecting your business’s devices and systems, make sure you cover both:
You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. As an example, you could have all staff protect their devices by:
Problems and incidents
You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.
What next?
We can help you create a cyber security policy for your business. Reach out to our team here to discuss this further.